2019 Year of Compliance | NAVEX Global

Review, Refresh, Revitalize

When was the last time you assessed or trained against your code of conduct? Is it in line with your values and updated to reflect societal changes? There’s a lot at stake. Your code is much more than a single policy. It is the overarching communication tool that summarizes all key policies at a high level.

A code of conduct clearly points out expected behaviors. It demonstrates to employees, as well as external stakeholders, an organization’s commitment to core values. An effective code not only communicates the organization’s mission, but it also serves as an employee resource—a go-to place when questions about behavior or policies arise.

To keep pace with an ever-changing workforce and workplace climate, codes of conduct need to be living documents that are regularly reviewed, revised and updated. Along with aligning to changing regulations, your code needs to resonate with your target audience – your employees.

If a code of conduct doesn’t mention behaviors that concern employees (e.g. harassment, social media, human rights, social responsibility, privacy and bribery), employees will not pay it much attention. And if the related behaviors are unenforceable or unachievable (e.g., “don’t use company assets for any personal matters”), employees will tune out.

Users need to be drawn in to truly comprehend what is arguably the foundation of your compliance and ethics program. If codes are too legalistic and wordy, if some topics are overdone, if a written or online version of the code is dull without graphics or interactivity, readers may glaze over important details. And, if you’re a global company and use US-centric images or language, you are legitimately at fault for not vetting a code with internationally-based colleagues.

If a code is structured or presented in a way that doesn’t properly present both values and risks and uses so many different writing styles that your audience has trouble following along, you’ll lose attention and, worse, interest. If your employees are comfortable with technology and have regular access to the internet, an online, interactive code may be more effective than a 20-page expensive print document.

The best codes are developed by those who know their audiences as well as know that a code is something that needs to be used, not just published.

Traits of a Best-in-Class Code

The codes of leading organizations share common best-practice traits, including:

Alignment with an Organization’s Risk Profile: Leading organizations understand their risk profile and benchmark their code of ethics for employees against industry best practices to ensure relevancy.
Regularly Updated: Leading organizations update their code every two years – or whenever an event such as a change in leadership, geographic footprint, merger or acquisition prompts the need for an update.
Appropriate Tone & Language: Good codes of conduct use tone and language that reflects the organization’s culture. Know your audience. Your code represents your compliance program.
Leverages Links to Other Resources & Policies: The purpose of the code of conduct is to outline the risks and steps stakeholders should take if they have additional questions or need direction. Avoid embedding an entire policy within a code. Best practice codes provide links to additional resources or supporting policies.
Promotes the Organization’s Brand and Values: The code of conduct should clearly outline your organization’s driving principles, a great way to reinforce your values. Use the Code to promote your organization’s brand and reputation.
Serves as an Engaging, User-Friendly Reference Tool with Key Design Elements: Use style elements like colors, callout boxes, branding and video vignettes. Video is essential in breaking up the monotony of text and truly engaging your readers.

Key Steps for Your Organization

Before diving into a code of conduct refresh project, it’s good to revisit the core functions of a code of ethics:

Set the tone for your corporate culture and provide a platform for virtually every other policy you implement.
Communicate expected behavior for employees and point the way to additional resources when situations are complex, difficult or sensitive.
Reduce legal liability by addressing your organization’s key ethics and compliance risks.
Represent your organization’s commitment to integrity to external constituents including business partners and regulators.

With those goals in mind, below are five steps to consider as you’re working toward taking your code of conduct from good to great.

TAILOR TO YOUR PEOPLE

Many organizations’ existing codes of conduct have provisions and perspectives that are worth retaining. Going from a good code of conduct to an excellent code of conduct might be more about tone, design and style—which should reflect your organizational culture and priorities—than overall message or policy.

MAKE IT INTUITIVE. MAKE IT USABLE

Employees who want a quick answer may feel confused and frustrated if they can’t understand what it says—a common problem when a committee of lawyers does most or all of the writing. It’s especially important to clearly describe how employees can ask questions or flag problems, usually through the hotline or helpline. Consider how design impacts readability as well. Short paragraphs are much easier to read than long blocks of copy.

ALIGN WITH YOUR ORGANIZATION’S RISK PROFILE

A best practice for any code of conduct includes making it relevant and complete given a company’s industry and global risk profile. Risk profiles are not static. Collaborate with other departments in your organization to ensure that the code of conduct touches on those issues that are most important.

INCORPORATE EMERGING ISSUES

The world is changing quickly, and codes need to change with it. For example, it might be hard to remember, but just a few years ago, social media risk wasn’t a concern at most companies and likely wasn’t addressed in their codes of conduct. Money laundering used to be something only financial organizations had to worry about. But these issues are now commonly covered in the codes of conduct at many diverse organizations. What are emerging issues that impact your organization? Consider covering them in your code.

ENSURE EMPLOYEES KNOW THEY’RE PROTECTED

Your code of conduct cannot cover everything, so it’s essential that it point employees to additional resources they can turn to for help (calling the ethics hotline, talking to their managers, or members of the HR or E&C teams, etc.). Best practice codes of conduct clearly communicate that employees who report possible misconduct or ask questions will be protected—and underscore the fact that acts of retaliation are acts of misconduct that could result in disciplinary action up to and including dismissal.

Conclusion

Regularly assessing your code of conduct helps you ensure that you’re consistently underscoring your values—and keeping them top-of-mind with employees. Taking a code from good to great can mean a world of difference for all those who rely on it.

Tools & Resources

» REFERENCE: NAVEX Global’s Code of Conduct

» INTERACTIVE: Definitive Guide to Your Code of Conduct

» WHITE PAPER: Updating Your Code of Conduct: A Step-by-Step Approach

» EBOOK: The Crucial Document Every Organisation Needs

Relevant Blog Articles

» Seven Essential Resources for Strengthening Your Code of Conduct

» How to Simplify Your Code of Conduct Attestation Language

» Code of Conduct: Your Corporate Constitution

» Can Your Employees Understand Your Policies? How Readability Impacts Your Ethics

What is the Revision?

In November of 2018, the U.S. Department of Justice revised principle 9-28.700 – The Value of Cooperation in its Justice Manual – aka the Yates Memo.

When the Yates Memo originally shook the compliance world in the fall of 2015, it became synonymous with unwavering commitment to individual accountability for wrongdoing. Any revisions therefore would strike discussion over whether individual accountability is still a priority for the DOJ. It is.

A review of Deputy Attorney General Rod Rosenstein’s announcement of the revisions at the 35th International Conference of the Foreign Corporate Practices Act, should assuage any concern that the Department is straying away from holding wrongdoers accountable. In no uncertain terms, Rosenstein stated: “Under our revised policy, pursuing individuals responsible for wrongdoing will be a top priority in every corporate investigation.”

Instead of a departure from accountability, the revisions are designed to increase enforcement effectiveness and efficiency surrounding individual accountability. This reevaluates the “all-or-nothing” approach intrinsic to the Yates Memo. Previously, corporations would need to provide all relevant information about every individual involved in a potential wrongdoing. Even Rosenstein remarked, at first “it seemed like a great idea.” However, when it comes to implementation, the realities of “all-or-nothing” result in a lot of “nothing” for companies as well as enforcement agencies.

Instead of identifying every individual involved, the revised policy primarily focuses on identifying individuals substantially involved. The principle reads:

“In order for a company to receive any consideration for cooperation under this section, the company must identify all individuals substantially involved in or responsible for the misconduct at issue, regardless of their position, status or seniority, and provide to the Department all relevant facts relating to that misconduct.”

Realistic Implementation

Nuances of good faith are also interwoven into the policy. Discovery efforts necessary to uncover all information about wrongdoing can usurp disproportionate resources and people hours for both corporations and regulators. It also pushes investigations down rabbit holes to return insignificant information about individuals who ultimately may not face prosecution. These are the inefficiencies the revisions aim to ameliorate. Simply put, the DOJ wants all the information a corporation has available and expects reasonably thorough investigations to uncover the necessary relevant information to prosecute key players. This is the key to credit.

"Department attorneys should vigorously review any information provided by companies and compare it to the results of their own investigation, in order to best ensure that the information provided is indeed complete and does not seek to minimize, exaggerate, or otherwise misrepresent the behavior or role of any individual or group of individuals."

Furthermore, these revisions may alleviate the original internal branding concerns coming from the compliance industry about the Yates Memo. When every individual involved in a scheme needed to be identified, internal compliance and legal departments turned into aggressive internal investigators, often including investigating innocent employees who unknowingly happened to be involved in fraudulent schemes. Not surprisingly, this was not a good look for internal departments already struggling with rebranding themselves as teams focused on protecting their people.

Ultimately, these policy changes do not indicate a shift away from the adamancy of individual accountability in the Yates Memo, but rather aligns the language of the law with the realistic implementation of law enforcement.

Key Steps for Your Organization

Since the 2015 release of the original memo, every compliance officer and general counsel has discussed how it represents a fundamental change in interactions with their peers and internal clients. So, what can professionals continue (or start) doing to ensure compliance with the new revisions?

AVOID EXTERNAL INVESTIGATIONS

The best way to avoid an external investigation is to ensure that employees feel confident enough in their organization’s reporting infrastructure and policies that they feel they can report issues without reprisal—and that management can learn of issues and mitigate problems before they turn into potential illegal or unethical behavior. The fear of retaliation may be even higher if employees are reporting on a senior executive, but those are precisely the kind of managers that the Yates Memo contemplates as possible targets.

ENCOURAGE SPEAKING UP & TRAIN PROPERLY

Companies need to reassure employees and encourage them to come forward using the appropriate channels for reporting. Accordingly, this encouragement should also come from the proper training of internal personnel. Being able to successfully conduct witness interviews and manage reports is essential for building trust with those coming forward with a claim of misconduct. Investigations are now fair game for prosecutors, so having it done impartially and effectively is also critical.

IMPLEMENT POLICIES & PROCEDURES

Apart from ensuring reporting mechanisms are well-publicized and defined in company policies, they need to be perceived as credible by employees, vendors, suppliers, and members of the general public—and audited regularly for effectiveness. There should be a company procedure in place to conduct audits, assessments and employee surveys to get a benchmark for effectiveness. Data privacy and protection should also be written into the policies should an international investigation take place. And, the procedure should confirm that any document retention and destruction policy is updated and regularly audited, publicized and attested to by internal personnel.

QUESTIONS TO ASK

Senior management, counsel, and the board should agree upon certain core principles and be able to answer the following questions:

When should investigations be handled internally or externally and who should retain the counsel? In some cases, the board may want to retain counsel instead of allowing the general counsel to handle the matter.
What will be the policy if a senior manager or executive refuses to answer questions or insists on having counsel present? Who will pay for the counsel?
Does the board need additional training on how Yates could affect their operations and decisions that the board may need to make regarding disclosing sensitive information about high-level personnel or even board members themselves?
How will the procedures put in place affect voluntary disclosures under other legal regimes and who in the organization should have ultimate responsibility for making these decisions.

Given how quickly the compliance world is changing, a new tone from Washington is something leaders of organizations can’t afford to ignore. The above questions are just a sampling of what boards and senior management should be considering, preferably with guidance from outside counsel.